DevOps defence: three practical considerations to help dev teams follow “shifting left” principles

by Mark Troester

5 months ago


Now that automation and artificial intelligence (AI) are enabling developers to create software and apps at scale, and at a faster pace than ever before, the question of security integration has become even more critical.

Australia’s data breach costs have jumped to AUD $3.82 million over the past five years. Yet, it seems that security remains a major hurdle for dev teams: our last DevSecOps research showed that 60% of Australian developers and IT decision makers don’t fully understand how security fits into DevSecOps.

The threat of real-world challenges and risks associated with late-stage security implementation means that dev team leaders need proven strategies and best practices to integrate security measures more seamlessly in the development lifecycle.

Intricacies of DevSecOps: embedding security needs a “shift left” approach

Contrary to common belief, vulnerable or outdated components, authentication issues or sophisticated phishing attacks are not the usual culprits behind security issues.

Oftentimes, it is simply configuration errors that are the culprit: a staggering 80% or more of ransomware attacks can be traced to common configuration errors in software and devices.

A stand-alone security approach isn’t fit for purpose here; it can actually make things worse by slowing down the production process, for example when development teams go from development to QA to staging and only then insert a security review.

This type of approach pushes things downstream, which in turn greatly increases the cost, time and effort to address issues at the end of the development cycle rather than doing it earlier.

Shift-left security and compliance in DevOps involves checking for security issues earlier in the development process, allowing developers to identify coding issues and fix defects quicker before they become more difficult to manage.

What about scale?

The scale at which enterprises need to operate today is adding to the complexity of ensuring high levels of security throughout the development lifecycle.

Scale isn’t just about the number of physical devices or servers. Tech ecosystems can comprise multiple clouds and various device types that require support and span across multiple user and computer capacity locations.

A growing number of compliance and security standards also need to be assessed and managed, which can end up becoming a tall order for dev teams.

Three practical considerations for effective DevSecOps and compliance

  1. The continuous compliance approach

This is about confirming the initial development configuration so that it can be protected against drift as the dev team moves forward. With this approach, the security of the software development life cycle (SDLC) can be elevated by constantly verifying that any configuration drift is detected and remediated.

Continuous automation makes this possible at scale across Dev, Test and Prod environments.

  2. A place for both human and automation zones

While humans are responsible for developing the app or the software, automation is the best ally when it comes to performing routine actions, backed up by a two-person rule, i.e. a sensible code review process.

Setting up an automation zone can start with a series of actions, such as committing to some kind of code repository, and triggering an automation server to build it. Then, it begins deploying and pushing the changes through to the appropriate environment. The user is then partially removed from the process and will be notified if something goes wrong or if they must be involved in the approval process.

This combination of human-assisted automation reduces human errors and frees users to work on higher-level, more interesting work.

  3. Human-readable, machine-enforceable policies driving automation at scale

Achieving automation at scale extends the concept of infrastructure as code (IaC) to policy as code (PaC), moving from managing security and compliance rules with spreadsheets to defining the policies using human-readable code that is enforceable using machine automation.

In graduating to a policy-as-code approach, DevOps teams are not only performing automated configuration management, but they are also conducting automated continuous policy checks and remediation.
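The three considerations above fit together in a single compliance cycle: a baseline is recorded, the live configuration is compared against it (continuous compliance), each policy is written as a human-readable statement paired with a machine check (policy as code), and remediation is applied automatically only where that is safe, with the rest queued for human approval (the human and automation zones). The following Python is an added illustration written for this article; it is not code from the author or from Progress, and the rule IDs, configuration keys and sample configurations are all constructed for the example.

```python
"""Added example: one continuous-compliance cycle driven by policy as code.

Every rule, key and sample value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Config = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    """A policy-as-code rule: human-readable statement plus the machine check."""
    rule_id: str
    description: str
    check: Callable[[Config], bool]        # True when the config complies
    remediate: Callable[[Config], Config]  # returns a corrected copy
    auto_fix: bool                         # False => park for two-person approval


# Constructed policy set (hypothetical rules, not taken from the article).
POLICIES: List[Rule] = [
    Rule("SEC-001", "TLS must be enabled on every listener",
         check=lambda c: c.get("tls_enabled") is True,
         remediate=lambda c: {**c, "tls_enabled": True},
         auto_fix=True),
    Rule("SEC-002", "Debug mode must be off outside development",
         check=lambda c: c.get("environment") == "dev" or c.get("debug") is False,
         remediate=lambda c: {**c, "debug": False},
         auto_fix=True),
    Rule("SEC-003", "Admin interface must not bind to all interfaces",
         check=lambda c: c.get("admin_bind") != "0.0.0.0",
         remediate=lambda c: {**c, "admin_bind": "127.0.0.1"},
         auto_fix=False),  # network exposure change: a human must approve
]


def evaluate(config: Config) -> List[str]:
    """IDs of the policies the configuration violates, in policy order."""
    return [r.rule_id for r in POLICIES if not r.check(config)]


def detect_drift(baseline: Config, observed: Config) -> Dict[str, tuple]:
    """Keys whose observed value differs from the approved baseline: key -> (expected, actual)."""
    keys = set(baseline) | set(observed)
    return {k: (baseline.get(k), observed.get(k))
            for k in keys if baseline.get(k) != observed.get(k)}


def compliance_report(baseline: Config, observed: Config) -> Dict[str, Any]:
    """Detect drift, evaluate policy, auto-remediate what is allowed, queue the rest."""
    config = dict(observed)
    applied: List[str] = []
    needs_approval: List[str] = []
    for rule in POLICIES:
        if rule.check(config):
            continue
        if rule.auto_fix:
            config = rule.remediate(config)   # automation zone
            applied.append(rule.rule_id)
        else:
            needs_approval.append(rule.rule_id)  # human zone: two-person rule
    return {
        "drift": detect_drift(baseline, observed),
        "violations": evaluate(observed),
        "applied": applied,
        "needs_approval": needs_approval,
        "config": config,
        "compliant": not evaluate(config),
    }


# Constructed sample configurations: the approved prod baseline, what was
# actually observed in prod after drift, and a dev environment.
BASELINE_PROD: Config = {"environment": "prod", "tls_enabled": True,
                         "debug": False, "admin_bind": "127.0.0.1"}
OBSERVED_PROD: Config = {"environment": "prod", "tls_enabled": True,
                         "debug": True, "admin_bind": "0.0.0.0"}
DEV_CONFIG: Config = {"environment": "dev", "tls_enabled": False,
                      "debug": True, "admin_bind": "127.0.0.1"}

if __name__ == "__main__":
    report = compliance_report(BASELINE_PROD, OBSERVED_PROD)
    for key in ("drift", "violations", "applied", "needs_approval", "compliant"):
        print(f"{key}: {report[key]}")
```

Running the block against the constructed prod configuration reports two drifted keys, auto-corrects the debug flag and leaves the admin bind change waiting for human approval, so the configuration is still reported as non-compliant until a reviewer signs off. The same policy list can be run on every commit, test deployment and production scan, which is what makes the approach scale across environments.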

At the end of the day, it’s really all about bolstering security throughout the development lifecycle and doing it at scale. For DevOps leaders, the advantages of adopting a best practice approach for handling security earlier in the DevOps process are clear.

By embedding security in the DevOps process, as well as using the right technology framework based on shifting left practices, organisations can promote innovation and maximise security efforts.

This article is written by Mark Troester, Vice President of Strategy, Progress

The insight is published as part of UPTECH MEDIA’s thought leadership piece, written within its repository of contributor articles.
